RPJosh
/
authelia
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Merge pull request #58 from clems4ever/idle-connection 

Open and close ldap client after each operation to avoid issues with …
pull/61/head
Clément Michaud 2017-07-19 21:05:37 +02:00 committed by GitHub
parent 8f797c025a fd59044f5e
commit b099b74881
39 changed files with 729 additions and 503 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
config.template.yml
View File

@ -5,7 +5,7 @@ port: 80
# Log level
#
# Level of verbosity for logs
logs_level: info
logs_level: debug
# LDAP configuration
#

1
src/server/index.ts
View File

@ -19,6 +19,7 @@ const yamlContent = YAML.load(configurationFilepath);
const deps: GlobalDependencies = {
u2f: require("u2f"),
dovehash: require("dovehash"),
nodemailer: require("nodemailer"),
ldapjs: require("ldapjs"),
session: require("express-session"),

8
src/server/lib/Exceptions.ts
View File

@ -15,6 +15,14 @@ export class LdapBindError extends Error {
}
}
export class LdapError extends Error {
constructor(message?: string) {
super(message);
this.name = "LdapError";
Object.setPrototypeOf(this, LdapError.prototype);
}
}
export class IdentityError extends Error {
constructor(message?: string) {
super(message);

2
src/server/lib/Server.ts
View File

@ -8,7 +8,7 @@ import ConfigurationAdapter from "./ConfigurationAdapter";
import { TOTPValidator } from "./TOTPValidator";
import { TOTPGenerator } from "./TOTPGenerator";
import RestApi from "./RestApi";
import { LdapClient } from "./LdapClient";
import { Client } from "./ldap/Client";
import BluebirdPromise = require("bluebird");
import ServerVariables = require("./ServerVariables");
import SessionConfigurationBuilder from "./SessionConfigurationBuilder";

29
src/server/lib/ServerVariables.ts
View File

@ -1,6 +1,9 @@
import winston = require("winston");
import { LdapClient } from "./LdapClient";
import { Authenticator } from "./ldap/Authenticator";
import { PasswordUpdater } from "./ldap/PasswordUpdater";
import { EmailsRetriever } from "./ldap/EmailsRetriever";
import { TOTPValidator } from "./TOTPValidator";
import { TOTPGenerator } from "./TOTPGenerator";
import U2F = require("u2f");
@ -19,7 +22,9 @@ export const VARIABLES_KEY = "authelia-variables";
export interface ServerVariables {
logger: typeof winston;
ldap: LdapClient;
ldapAuthenticator: Authenticator;
ldapPasswordUpdater: PasswordUpdater;
ldapEmailsRetriever: EmailsRetriever;
totpValidator: TOTPValidator;
totpGenerator: TOTPGenerator;
u2f: typeof U2F;
@ -41,7 +46,9 @@ export function fill(app: express.Application, config: Configuration.AppConfigur
const userDataStore = new UserDataStore(datastore_options, deps.nedb);
const regulator = new AuthenticationRegulator(userDataStore, five_minutes);
const notifier = NotifierFactory.build(config.notifier, deps.nodemailer);
const ldap = new LdapClient(config.ldap, deps.ldapjs, deps.winston);
const ldapAuthenticator = new Authenticator(config.ldap, deps.ldapjs, deps.winston);
const ldapPasswordUpdater = new PasswordUpdater(config.ldap, deps.ldapjs, deps.dovehash, deps.winston);
const ldapEmailsRetriever = new EmailsRetriever(config.ldap, deps.ldapjs, deps.winston);
const accessController = new AccessController(config.access_control, deps.winston);
const totpValidator = new TOTPValidator(deps.speakeasy);
const totpGenerator = new TOTPGenerator(deps.speakeasy);
@ -49,7 +56,9 @@ export function fill(app: express.Application, config: Configuration.AppConfigur
const variables: ServerVariables = {
accessController: accessController,
config: config,
ldap: ldap,
ldapAuthenticator: ldapAuthenticator,
ldapPasswordUpdater: ldapPasswordUpdater,
ldapEmailsRetriever: ldapEmailsRetriever,
logger: deps.winston,
notifier: notifier,
regulator: regulator,
@ -74,8 +83,16 @@ export function getNotifier(app: express.Application): INotifier {
return (app.get(VARIABLES_KEY) as ServerVariables).notifier;
}
export function getLdapClient(app: express.Application): LdapClient {
return (app.get(VARIABLES_KEY) as ServerVariables).ldap;
export function getLdapAuthenticator(app: express.Application): Authenticator {
return (app.get(VARIABLES_KEY) as ServerVariables).ldapAuthenticator;
}
export function getLdapPasswordUpdater(app: express.Application): PasswordUpdater {
return (app.get(VARIABLES_KEY) as ServerVariables).ldapPasswordUpdater;
}
export function getLdapEmailsRetriever(app: express.Application): EmailsRetriever {
return (app.get(VARIABLES_KEY) as ServerVariables).ldapEmailsRetriever;
}
export function getConfiguration(app: express.Application): Configuration.AppConfiguration {

54
src/server/lib/ldap/Authenticator.ts 100644
View File

@ -0,0 +1,54 @@
import BluebirdPromise = require("bluebird");
import exceptions = require("../Exceptions");
import ldapjs = require("ldapjs");
import { Client, Attributes } from "./Client";
import { buildUserDN } from "./common";
import { LdapConfiguration } from "./../../../types/Configuration";
import { Winston, Ldapjs, Dovehash } from "../../../types/Dependencies";
export class Authenticator {
private options: LdapConfiguration;
private ldapjs: Ldapjs;
private logger: Winston;
constructor(options: LdapConfiguration, ldapjs: Ldapjs, logger: Winston) {
this.options = options;
this.ldapjs = ldapjs;
this.logger = logger;
}
private createClient(userDN: string, password: string): Client {
return new Client(userDN, password, this.options, this.ldapjs, undefined, this.logger);
}
authenticate(username: string, password: string): BluebirdPromise<Attributes> {
const self = this;
const userDN = buildUserDN(username, this.options);
const userClient = this.createClient(userDN, password);
const adminClient = this.createClient(this.options.user, this.options.password);
let attributes: Attributes;
return userClient.open()
.then(function () {
return userClient.close();
})
.then(function () {
return adminClient.open();
})
.then(function () {
return adminClient.searchEmailsAndGroups(username);
})
.then(function (attr: Attributes) {
attributes = attr;
return adminClient.close();
})
.then(function () {
return BluebirdPromise.resolve(attributes);
})
.error(function (err: Error) {
return BluebirdPromise.reject(new exceptions.LdapError(err.message));
});
}
}

140
src/server/lib/LdapClient.ts → src/server/lib/ldap/Client.ts
View File

@ -1,79 +1,65 @@
import util = require("util");
import BluebirdPromise = require("bluebird");
import exceptions = require("./Exceptions");
import Dovehash = require("dovehash");
import exceptions = require("../Exceptions");
import ldapjs = require("ldapjs");
import { buildUserDN } from "./common";
import { EventEmitter } from "events";
import { LdapConfiguration } from "./../../types/Configuration";
import { Ldapjs } from "../../types/Dependencies";
import { Winston } from "../../types/Dependencies";
import { LdapConfiguration } from "./../../../types/Configuration";
import { Winston, Ldapjs, Dovehash } from "../../../types/Dependencies";
interface SearchEntry {
object: any;
}
export class LdapClient {
private options: LdapConfiguration;
export interface Attributes {
groups: string[];
emails: string[];
}
export class Client {
private userDN: string;
private password: string;
private client: ldapjs.ClientAsync;
private ldapjs: Ldapjs;
private logger: Winston;
private adminClient: ldapjs.ClientAsync;
private dovehash: Dovehash;
private options: LdapConfiguration;
constructor(options: LdapConfiguration, ldapjs: Ldapjs, logger: Winston) {
constructor(userDN: string, password: string, options: LdapConfiguration, ldapjs: Ldapjs, dovehash: Dovehash, logger: Winston) {
this.options = options;
this.ldapjs = ldapjs;
this.dovehash = dovehash;
this.logger = logger;
this.userDN = userDN;
this.password = password;
this.connect();
}
private createClient(): ldapjs.ClientAsync {
const ldapClient = this.ldapjs.createClient({
const ldapClient = ldapjs.createClient({
url: this.options.url,
reconnect: true
});
ldapClient.on("error", function (err: Error) {
console.error("LDAP Error:", err.message);
});
const clientLogger = (ldapClient as any).log;
if (clientLogger) {
clientLogger.level("trace");
}
return BluebirdPromise.promisifyAll(ldapClient) as ldapjs.ClientAsync;
this.client = BluebirdPromise.promisifyAll(ldapClient) as ldapjs.ClientAsync;
}
connect(): BluebirdPromise<void> {
const userDN = this.options.user;
const password = this.options.password;
this.adminClient = this.createClient();
return this.adminClient.bindAsync(userDN, password);
open(): BluebirdPromise<void> {
this.logger.debug("LDAP: Bind user '%s'", this.userDN);
return this.client.bindAsync(this.userDN, this.password)
.error(function (err: Error) {
return BluebirdPromise.reject(new exceptions.LdapBindError(err.message));
});
}
private buildUserDN(username: string): string {
let userNameAttribute = this.options.user_name_attribute;
// if not provided, default to cn
if (!userNameAttribute) userNameAttribute = "cn";
const additionalUserDN = this.options.additional_user_dn;
const base_dn = this.options.base_dn;
let userDN = util.format("%s=%s", userNameAttribute, username);
if (additionalUserDN) userDN += util.format(",%s", additionalUserDN);
userDN += util.format(",%s", base_dn);
return userDN;
}
checkPassword(username: string, password: string): BluebirdPromise<void> {
const userDN = this.buildUserDN(username);
const that = this;
const ldapClient = this.createClient();
this.logger.debug("LDAP: Check password by binding user '%s'", userDN);
return ldapClient.bindAsync(userDN, password)
.then(function () {
that.logger.debug("LDAP: Unbind user '%s'", userDN);
return ldapClient.unbindAsync();
})
close(): BluebirdPromise<void> {
this.logger.debug("LDAP: Unbind user '%s'", this.userDN);
return this.client.unbindAsync()
.error(function (err: Error) {
return BluebirdPromise.reject(new exceptions.LdapBindError(err.message));
});
@ -83,7 +69,7 @@ export class LdapClient {
const that = this;
that.logger.debug("LDAP: Search for '%s' in '%s'", JSON.stringify(query), base);
return that.adminClient.searchAsync(base, query)
return that.client.searchAsync(base, query)
.then(function (res: EventEmitter) {
const doc: SearchEntry[] = [];
@ -97,7 +83,7 @@ export class LdapClient {
reject(new exceptions.LdapSearchError(err.message));
});
res.on("end", function () {
that.logger.debug("LDAP: Result of search is '%s'.", JSON.stringify(doc));
that.logger.debug("LDAP: Search ended and results are '%s'.", JSON.stringify(doc));
resolve(doc);
});
});
@ -107,8 +93,9 @@ export class LdapClient {
});
}
retrieveGroups(username: string): BluebirdPromise<string[]> {
const userDN = this.buildUserDN(username);
private searchGroups(username: string): BluebirdPromise<string[]> {
const that = this;
const userDN = buildUserDN(username, this.options);
const password = this.options.password;
let groupNameAttribute = this.options.group_name_attribute;
@ -127,24 +114,22 @@ export class LdapClient {
filter: "member=" + userDN
};
const that = this;
this.logger.debug("LDAP: get groups of user %s", username);
const groups: string[] = [];
return that.search(groupDN, query)
.then(function (docs) {
for (let i = 0; i < docs.length; ++i) {
groups.push(docs[i].cn);
}
that.logger.debug("LDAP: got groups '%s'", groups);
that.logger.debug("LDAP: groups of user %s are %s", username, groups);
})
.then(function () {
return BluebirdPromise.resolve(groups);
});
}
retrieveEmails(username: string): BluebirdPromise<string[]> {
searchEmails(username: string): BluebirdPromise<string[]> {
const that = this;
const user_dn = this.buildUserDN(username);
const userDN = buildUserDN(username, this.options);
const query = {
scope: "base",
@ -152,8 +137,7 @@ export class LdapClient {
attributes: ["mail"]
};
this.logger.debug("LDAP: get emails of user '%s'", username);
return this.search(user_dn, query)
return this.search(userDN, query)
.then(function (docs) {
const emails = [];
for (let i = 0; i < docs.length; ++i) {
@ -163,29 +147,45 @@ export class LdapClient {
emails.concat(docs[i].mail);
}
}
that.logger.debug("LDAP: got emails '%s'", emails);
that.logger.debug("LDAP: emails of user '%s' are %s", username, emails);
return BluebirdPromise.resolve(emails);
});
}
updatePassword(username: string, newPassword: string): BluebirdPromise<void> {
const user_dn = this.buildUserDN(username);
searchEmailsAndGroups(username: string): BluebirdPromise<Attributes> {
const that = this;
let retrievedEmails: string[], retrievedGroups: string[];
const encoded_password = Dovehash.encode("SSHA", newPassword);
return this.searchEmails(username)
.then(function (emails: string[]) {
retrievedEmails = emails;
return that.searchGroups(username);
})
.then(function (groups: string[]) {
retrievedGroups = groups;
return BluebirdPromise.resolve({
emails: retrievedEmails,
groups: retrievedGroups
});
});
}
modifyPassword(username: string, newPassword: string): BluebirdPromise<void> {
const that = this;
const userDN = buildUserDN(username, this.options);
const encodedPassword = this.dovehash.encode("SSHA", newPassword);
const change = {
operation: "replace",
modification: {
userPassword: encoded_password
userPassword: encodedPassword
}
};
const that = this;
this.logger.debug("LDAP: update password of user '%s'", username);
that.logger.debug("LDAP: modify password");
return that.adminClient.modifyAsync(user_dn, change)
return this.client.modifyAsync(userDN, change)
.then(function () {
return that.adminClient.unbindAsync();
return that.client.unbindAsync();
});
}
}

46
src/server/lib/ldap/EmailsRetriever.ts 100644
View File

@ -0,0 +1,46 @@
import BluebirdPromise = require("bluebird");
import exceptions = require("../Exceptions");
import ldapjs = require("ldapjs");
import { Client } from "./Client";
import { buildUserDN } from "./common";
import { LdapConfiguration } from "./../../../types/Configuration";
import { Winston, Ldapjs, Dovehash } from "../../../types/Dependencies";
export class EmailsRetriever {
private options: LdapConfiguration;
private ldapjs: Ldapjs;
private logger: Winston;
constructor(options: LdapConfiguration, ldapjs: Ldapjs, logger: Winston) {
this.options = options;
this.ldapjs = ldapjs;
this.logger = logger;
}
private createClient(userDN: string, password: string): Client {
return new Client(userDN, password, this.options, this.ldapjs, undefined, this.logger);
}
retrieve(username: string): BluebirdPromise<string[]> {
const userDN = buildUserDN(username, this.options);
const adminClient = this.createClient(this.options.user, this.options.password);
let emails: string[];
return adminClient.open()
.then(function () {
return adminClient.searchEmails(username);
})
.then(function (emails_: string[]) {
emails = emails_;
return adminClient.close();
})
.then(function() {
return BluebirdPromise.resolve(emails);
})
.error(function (err: Error) {
return BluebirdPromise.reject(new exceptions.LdapError("Failed during password update: " + err.message));
});
}
}

43
src/server/lib/ldap/PasswordUpdater.ts 100644
View File

@ -0,0 +1,43 @@
import BluebirdPromise = require("bluebird");
import exceptions = require("../Exceptions");
import ldapjs = require("ldapjs");
import { Client } from "./Client";
import { buildUserDN } from "./common";
import { LdapConfiguration } from "./../../../types/Configuration";
import { Winston, Ldapjs, Dovehash } from "../../../types/Dependencies";
export class PasswordUpdater {
private options: LdapConfiguration;
private ldapjs: Ldapjs;
private logger: Winston;
private dovehash: Dovehash;
constructor(options: LdapConfiguration, ldapjs: Ldapjs, dovehash: Dovehash, logger: Winston) {
this.options = options;
this.ldapjs = ldapjs;
this.logger = logger;
this.dovehash = dovehash;
}
private createClient(userDN: string, password: string): Client {
return new Client(userDN, password, this.options, this.ldapjs, this.dovehash, this.logger);
}
updatePassword(username: string, newPassword: string): BluebirdPromise<void> {
const userDN = buildUserDN(username, this.options);
const adminClient = this.createClient(this.options.user, this.options.password);
return adminClient.open()
.then(function () {
return adminClient.modifyPassword(username, newPassword);
})
.then(function () {
return adminClient.close();
})
.error(function (err: Error) {
return BluebirdPromise.reject(new exceptions.LdapError("Failed during password update: " + err.message));
});
}
}

18
src/server/lib/ldap/common.ts 100644
View File

@ -0,0 +1,18 @@
import util = require("util");
import { LdapConfiguration } from "./../../../types/Configuration";
export function buildUserDN(username: string, options: LdapConfiguration): string {
let userNameAttribute = options.user_name_attribute;
// if not provided, default to cn
if (!userNameAttribute) userNameAttribute = "cn";
const additionalUserDN = options.additional_user_dn;
const base_dn = options.base_dn;
let userDN = util.format("%s=%s", userNameAttribute, username);
if (additionalUserDN) userDN += util.format(",%s", additionalUserDN);
userDN += util.format(",%s", base_dn);
return userDN;
}

23
src/server/lib/routes/firstfactor/post.ts
View File

@ -5,7 +5,7 @@ import BluebirdPromise = require("bluebird");
import express = require("express");
import { AccessController } from "../../access_control/AccessController";
import { AuthenticationRegulator } from "../../AuthenticationRegulator";
import { LdapClient } from "../../LdapClient";
import { Client, Attributes } from "../../ldap/Client";
import Endpoint = require("../../../endpoints");
import ErrorReplies = require("../../ErrorReplies");
import ServerVariables = require("../../ServerVariables");
@ -16,7 +16,7 @@ export default function (req: express.Request, res: express.Response): BluebirdP
const password: string = req.body.password;
const logger = ServerVariables.getLogger(req.app);
const ldap = ServerVariables.getLdapClient(req.app);
const ldap = ServerVariables.getLdapAuthenticator(req.app);
const config = ServerVariables.getConfiguration(req.app);
if (!username || !password) {
@ -36,18 +36,15 @@ export default function (req: express.Request, res: express.Response): BluebirdP
return regulator.regulate(username)
.then(function () {
logger.info("1st factor: No regulation applied.");
return ldap.checkPassword(username, password);
return ldap.authenticate(username, password);
})
.then(function () {
logger.info("1st factor: LDAP binding successful");
.then(function (attributes: Attributes) {
logger.info("1st factor: LDAP binding successful. Retrieved information about user are %s", JSON.stringify(attributes));
authSession.userid = username;
authSession.first_factor = true;
logger.debug("1st factor: Retrieve email from LDAP");
return BluebirdPromise.join(ldap.retrieveEmails(username), ldap.retrieveGroups(username));
})
.then(function (data: [string[], string[]]) {
const emails: string[] = data[0];
const groups: string[] = data[1];
const emails: string[] = attributes.emails;
const groups: string[] = attributes.groups;
if (!emails || emails.length <= 0) {
const errMessage = "No emails found. The user should have at least one email address to reset password.";
@ -55,12 +52,12 @@ export default function (req: express.Request, res: express.Response): BluebirdP
return BluebirdPromise.reject(new Error(errMessage));
}
logger.debug("1st factor: Retrieved email are %s", emails);
logger.debug("1st factor: Retrieved groups are %s", groups);
authSession.email = emails[0];
authSession.groups = groups;
logger.debug("1st factor: Mark successful authentication to regulator.");
regulator.mark(username, true);
logger.debug("1st factor: Redirect to %s", Endpoint.SECOND_FACTOR_GET);
res.redirect(Endpoint.SECOND_FACTOR_GET);
return BluebirdPromise.resolve();

6
src/server/lib/routes/password-reset/form/post.ts
View File

@ -11,10 +11,10 @@ import Constants = require("./../constants");
export default function (req: express.Request, res: express.Response): BluebirdPromise<void> {
const logger = ServerVariables.getLogger(req.app);
const ldap = ServerVariables.getLdapClient(req.app);
const ldapPasswordUpdater = ServerVariables.getLdapPasswordUpdater(req.app);
const authSession = AuthenticationSession.get(req);
const new_password = objectPath.get<express.Request, string>(req, "body.password");
const newPassword = objectPath.get<express.Request, string>(req, "body.password");
const userid = authSession.identity_check.userid;
const challenge = authSession.identity_check.challenge;
@ -26,7 +26,7 @@ export default function (req: express.Request, res: express.Response): BluebirdP
logger.info("POST reset-password: User %s wants to reset his/her password", userid);
return ldap.updatePassword(userid, new_password)
return ldapPasswordUpdater.updatePassword(userid, newPassword)
.then(function () {
logger.info("POST reset-password: Password reset for user '%s'", userid);
AuthenticationSession.reset(req);

4
src/server/lib/routes/password-reset/identity/PasswordResetHandler.ts
View File

@ -25,8 +25,8 @@ export default class PasswordResetHandler implements IdentityValidable {
if (!userid)
return BluebirdPromise.reject(new exceptions.AccessDeniedError("No user id provided"));
const ldap = ServerVariables.getLdapClient(req.app);
return ldap.retrieveEmails(userid)
const emailsRetriever = ServerVariables.getLdapEmailsRetriever(req.app);
return emailsRetriever.retrieve(userid)
.then(function (emails: string[]) {
if (!emails && emails.length <= 0) throw new Error("No email found");

3
src/types/Dependencies.ts
View File

@ -6,7 +6,9 @@ import nedb = require("nedb");
import ldapjs = require("ldapjs");
import u2f = require("u2f");
import RedisSession = require("connect-redis");
import dovehash = require("dovehash");
export type Dovehash = typeof dovehash;
export type Nodemailer = typeof nodemailer;
export type Speakeasy = typeof speakeasy;
export type Winston = typeof winston;
@ -18,6 +20,7 @@ export type ConnectRedis = typeof RedisSession;
export interface GlobalDependencies {
u2f: U2f;
dovehash: Dovehash;
nodemailer: Nodemailer;
ldapjs: Ldapjs;
session: Session;

1
src/types/ldapjs-async.d.ts vendored
View File

@ -4,6 +4,7 @@ import { EventEmitter } from "events";
declare module "ldapjs" {
export interface ClientAsync {
on(event: string, callback: (data?: any) => void): void;
bindAsync(username: string, password: string): BluebirdPromise<void>;
unbindAsync(): BluebirdPromise<void>;
searchAsync(base: string, query: ldapjs.SearchOptions): BluebirdPromise<EventEmitter>;

7
test/unit/server/DataPersistence.test.ts
View File

@ -48,6 +48,8 @@ describe("test data persistence", function () {
})
};
ldapClient.bind.withArgs("cn=admin,dc=example,dc=com",
"password").yields();
ldapClient.bind.withArgs("cn=test_ok,ou=users,dc=example,dc=com",
"password").yields();
ldapClient.bind.withArgs("cn=test_nok,ou=users,dc=example,dc=com",
@ -61,7 +63,7 @@ describe("test data persistence", function () {
ldap: {
url: "ldap://127.0.0.1:389",
base_dn: "ou=users,dc=example,dc=com",
user: "user",
user: "cn=admin,dc=example,dc=com",
password: "password"
},
session: {
@ -108,7 +110,8 @@ describe("test data persistence", function () {
winston: winston,
ldapjs: ldap,
speakeasy: speakeasy,
ConnectRedis: sinon.spy()
ConnectRedis: sinon.spy(),
dovehash: sinon.spy()
};
const j1 = request.jar();

2
test/unit/server/IdentityCheckMiddleware.test.ts
View File

@ -49,7 +49,7 @@ describe("test identity check process", function () {
req.app = {};
const mocks = ServerVariablesMock.mock(req.app);
mocks.logger = winston;
mocks.userDataStore = userDataStore;
mocks.userDataStore = userDataStore as any;
mocks.notifier = notifier;
app = express();

242
test/unit/server/LdapClient.test.ts
View File

@ -1,242 +0,0 @@
import LdapClient = require("../../../src/server/lib/LdapClient");
import { LdapConfiguration } from "../../../src/types/Configuration";
import sinon = require("sinon");
import BluebirdPromise = require("bluebird");
import assert = require("assert");
import ldapjs = require("ldapjs");
import winston = require("winston");
import { EventEmitter } from "events";
import { LdapjsMock, LdapjsClientMock } from "./mocks/ldapjs";
describe("test ldap validation", function () {
let ldap: LdapClient.LdapClient;
let ldapClient: LdapjsClientMock;
let ldapjs: LdapjsMock;
let ldapConfig: LdapConfiguration;
beforeEach(function () {
ldapClient = LdapjsClientMock();
ldapjs = LdapjsMock();
ldapjs.createClient.returns(ldapClient);
ldapConfig = {
url: "http://localhost:324",
user: "admin",
password: "password",
base_dn: "dc=example,dc=com",
additional_user_dn: "ou=users"
};
ldap = new LdapClient.LdapClient(ldapConfig, ldapjs, winston);
});
describe("test checking password", test_checking_password);
describe("test get emails from username", test_get_emails);
describe("test get groups from username", test_get_groups);
describe("test update password", test_update_password);
function test_checking_password() {
function test_check_password_internal() {
const username = "username";
const password = "password";
return ldap.checkPassword(username, password);
}
it("should bind the user if good credentials provided", function () {
ldapClient.bind.yields();
ldapClient.unbind.yields();
return test_check_password_internal();
});
it("should bind the user with correct DN", function () {
ldapConfig.user_name_attribute = "uid";
const username = "user";
const password = "password";
ldapClient.bind.withArgs("uid=user,ou=users,dc=example,dc=com").yields();
ldapClient.unbind.yields();
return ldap.checkPassword(username, password);
});
it("should default to cn user search filter if no filter provided", function () {
const username = "user";
const password = "password";
ldapClient.bind.withArgs("cn=user,ou=users,dc=example,dc=com").yields();
ldapClient.unbind.yields();
return ldap.checkPassword(username, password);
});
it("should not bind the user if wrong credentials provided", function () {
ldapClient.bind.yields("wrong credentials");
const promise = test_check_password_internal();
return promise.catch(function () {
return BluebirdPromise.resolve();
});
});
}
function test_get_emails() {
let res_emitter: any;
let expected_doc: any;
beforeEach(function () {
expected_doc = {
object: {
mail: "user@example.com"
}
};
res_emitter = {
on: sinon.spy(function (event: string, fn: (doc: any) => void) {
if (event != "error") fn(expected_doc);
})
};
});
it("should retrieve the email of an existing user", function () {
ldapClient.search.yields(undefined, res_emitter);
return ldap.retrieveEmails("user")
.then(function (emails) {
assert.deepEqual(emails, [expected_doc.object.mail]);
return BluebirdPromise.resolve();
});
});
it("should retrieve email for user with uid name attribute", function () {
ldapConfig.user_name_attribute = "uid";
ldapClient.search.withArgs("uid=username,ou=users,dc=example,dc=com").yields(undefined, res_emitter);
return ldap.retrieveEmails("username")
.then(function (emails) {
assert.deepEqual(emails, ["user@example.com"]);
return BluebirdPromise.resolve();
});
});
it("should fail on error with search method", function () {
const expected_doc = {
mail: ["user@example.com"]
};
ldapClient.search.yields("Error while searching mails");
return ldap.retrieveEmails("user")
.catch(function () {
return BluebirdPromise.resolve();
});
});
}
function test_get_groups() {
let res_emitter: any;
let expected_doc1: any, expected_doc2: any;
beforeEach(function () {
expected_doc1 = {
object: {
cn: "group1"
}
};
expected_doc2 = {
object: {
cn: "group2"
}
};
res_emitter = {
on: sinon.spy(function (event: string, fn: (doc: any) => void) {
if (event != "error") fn(expected_doc1);
if (event != "error") fn(expected_doc2);
})
};
});
it("should retrieve the groups of an existing user", function () {
ldapClient.search.yields(undefined, res_emitter);
return ldap.retrieveGroups("user")
.then(function (groups) {
assert.deepEqual(groups, ["group1", "group2"]);
return BluebirdPromise.resolve();
});
});
it("should reduce the scope to additional_group_dn", function (done) {
ldapConfig.additional_group_dn = "ou=groups";
ldapClient.search.yields(undefined, res_emitter);
ldap.retrieveGroups("user")
.then(function() {
assert.equal(ldapClient.search.getCall(0).args[0], "ou=groups,dc=example,dc=com");
done();
});
});
it("should use default group_name_attr if not provided", function (done) {
ldapClient.search.yields(undefined, res_emitter);
ldap.retrieveGroups("user")
.then(function() {
assert.equal(ldapClient.search.getCall(0).args[0], "dc=example,dc=com");
assert.equal(ldapClient.search.getCall(0).args[1].filter, "member=cn=user,ou=users,dc=example,dc=com");
assert.deepEqual(ldapClient.search.getCall(0).args[1].attributes, ["cn"]);
done();
});
});
it("should fail on error with search method", function () {
ldapClient.search.yields("error");
return ldap.retrieveGroups("user")
.catch(function () {
return BluebirdPromise.resolve();
});
});
}
function test_update_password() {
it("should update the password successfully", function () {
const change = {
operation: "replace",
modification: {
userPassword: "new-password"
}
};
const userdn = "cn=user,ou=users,dc=example,dc=com";
ldapClient.bind.yields();
ldapClient.unbind.yields();
ldapClient.modify.yields();
return ldap.updatePassword("user", "new-password")
.then(function () {
assert.deepEqual(ldapClient.modify.getCall(0).args[0], userdn);
assert.deepEqual(ldapClient.modify.getCall(0).args[1].operation, change.operation);
const userPassword = ldapClient.modify.getCall(0).args[1].modification.userPassword;
assert(/{SSHA}/.test(userPassword));
return BluebirdPromise.resolve();
})
.catch(function(err) { return BluebirdPromise.reject(new Error("It should fail")); });
});
it("should fail when ldap throws an error", function () {
ldapClient.bind.yields(undefined);
ldapClient.modify.yields("Error");
return ldap.updatePassword("user", "new-password")
.catch(function () {
return BluebirdPromise.resolve();
});
});
it("should update password of user using particular user name attribute", function () {
ldapConfig.user_name_attribute = "uid";
ldapClient.bind.yields();
ldapClient.unbind.yields();
ldapClient.modify.withArgs("uid=username,ou=users,dc=example,dc=com").yields();
return ldap.updatePassword("username", "newpass");
});
}
});

19
test/unit/server/ServerConfiguration.test.ts
View File

@ -1,6 +1,6 @@
import assert = require("assert");
import sinon = require("sinon");
import Sinon = require("sinon");
import nedb = require("nedb");
import express = require("express");
import winston = require("winston");
@ -16,17 +16,17 @@ import Server from "../../../src/server/lib/Server";
describe("test server configuration", function () {
let deps: GlobalDependencies;
let sessionMock: sinon.SinonSpy;
let sessionMock: Sinon.SinonSpy;
before(function () {
const transporter = {
sendMail: sinon.stub().yields()
sendMail: Sinon.stub().yields()
};
const createTransport = sinon.stub(nodemailer, "createTransport");
const createTransport = Sinon.stub(nodemailer, "createTransport");
createTransport.returns(transporter);
sessionMock = sinon.spy(session);
sessionMock = Sinon.spy(session);
deps = {
nodemailer: nodemailer,
@ -35,15 +35,16 @@ describe("test server configuration", function () {
nedb: nedb,
winston: winston,
ldapjs: {
createClient: sinon.spy(function () {
createClient: Sinon.spy(function () {
return {
on: sinon.spy(),
bind: sinon.spy(),
on: Sinon.spy(),
bind: Sinon.spy(),
};
})
},
session: sessionMock as any,
ConnectRedis: sinon.spy()
ConnectRedis: Sinon.spy(),
dovehash: Sinon.spy() as any
};
});

42
test/unit/server/SessionConfigurationBuilder.test.ts
View File

@ -3,7 +3,7 @@ import { AppConfiguration } from "../../../src/types/Configuration";
import { GlobalDependencies } from "../../../src/types/Dependencies";
import ExpressSession = require("express-session");
import ConnectRedis = require("connect-redis");
import sinon = require("sinon");
import Sinon = require("sinon");
import Assert = require("assert");
describe("test session configuration builder", function () {
@ -36,14 +36,15 @@ describe("test session configuration builder", function () {
};
const deps: GlobalDependencies = {
ConnectRedis: sinon.spy() as any,
ldapjs: sinon.spy() as any,
nedb: sinon.spy() as any,
nodemailer: sinon.spy() as any,
session: sinon.spy() as any,
speakeasy: sinon.spy() as any,
u2f: sinon.spy() as any,
winston: sinon.spy() as any
ConnectRedis: Sinon.spy() as any,
ldapjs: Sinon.spy() as any,
nedb: Sinon.spy() as any,
nodemailer: Sinon.spy() as any,
session: Sinon.spy() as any,
speakeasy: Sinon.spy() as any,
u2f: Sinon.spy() as any,
winston: Sinon.spy() as any,
dovehash: Sinon.spy() as any
};
const options = SessionConfigurationBuilder.build(configuration, deps);
@ -94,17 +95,18 @@ describe("test session configuration builder", function () {
store_in_memory: true
};
const RedisStoreMock = sinon.spy();
const RedisStoreMock = Sinon.spy();
const deps: GlobalDependencies = {
ConnectRedis: sinon.stub().returns(RedisStoreMock) as any,
ldapjs: sinon.spy() as any,
nedb: sinon.spy() as any,
nodemailer: sinon.spy() as any,
session: sinon.spy() as any,
speakeasy: sinon.spy() as any,
u2f: sinon.spy() as any,
winston: sinon.spy() as any
ConnectRedis: Sinon.stub().returns(RedisStoreMock) as any,
ldapjs: Sinon.spy() as any,
nedb: Sinon.spy() as any,
nodemailer: Sinon.spy() as any,
session: Sinon.spy() as any,
speakeasy: Sinon.spy() as any,
u2f: Sinon.spy() as any,
winston: Sinon.spy() as any,
dovehash: Sinon.spy() as any
};
const options = SessionConfigurationBuilder.build(configuration, deps);
@ -118,10 +120,10 @@ describe("test session configuration builder", function () {
maxAge: 3600,
domain: "example.com"
},
store: sinon.match.object as any
store: Sinon.match.object as any
};
Assert((deps.ConnectRedis as sinon.SinonStub).calledWith(deps.session));
Assert((deps.ConnectRedis as Sinon.SinonStub).calledWith(deps.session));
Assert.equal(options.secret, expectedOptions.secret);
Assert.equal(options.resave, expectedOptions.resave);
Assert.equal(options.saveUninitialized, expectedOptions.saveUninitialized);

125
test/unit/server/ldap/Authenticator.test.ts 100644
View File

@ -0,0 +1,125 @@
import { Authenticator } from "../../../../src/server/lib/ldap/Authenticator";
import { LdapConfiguration } from "../../../../src/types/Configuration";
import sinon = require("sinon");
import BluebirdPromise = require("bluebird");
import assert = require("assert");
import ldapjs = require("ldapjs");
import winston = require("winston");
import { EventEmitter } from "events";
import { LdapjsMock, LdapjsClientMock } from "../mocks/ldapjs";
describe("test ldap authentication", function () {
let authenticator: Authenticator;
let ldapClient: LdapjsClientMock;
let ldapjs: LdapjsMock;
let ldapConfig: LdapConfiguration;
let adminUserDN: string;
let adminPassword: string;
function retrieveEmailsAndGroups(ldapClient: LdapjsClientMock) {
const email0 = {
object: {
mail: "user@example.com"
}
};
const email1 = {
object: {
mail: "user@example1.com"
}
};
const group0 = {
object: {
group: "group0"
}
};
const emailsEmitter = {
on: sinon.spy(function (event: string, fn: (doc: any) => void) {
if (event != "error") fn(email0);
if (event != "error") fn(email1);
})
};
const groupsEmitter = {
on: sinon.spy(function (event: string, fn: (doc: any) => void) {
if (event != "error") fn(group0);
})
};
ldapClient.search.onCall(0).yields(undefined, emailsEmitter);
ldapClient.search.onCall(1).yields(undefined, groupsEmitter);
}
beforeEach(function () {
ldapClient = LdapjsClientMock();
ldapjs = LdapjsMock();
ldapjs.createClient.returns(ldapClient);
// winston.level = "debug";
adminUserDN = "cn=admin,dc=example,dc=com";
adminPassword = "password";
ldapConfig = {
url: "http://localhost:324",
user: adminUserDN,
password: adminPassword,
base_dn: "dc=example,dc=com",
additional_user_dn: "ou=users"
};
authenticator = new Authenticator(ldapConfig, ldapjs, winston);
});
function test_check_password_internal() {
const username = "username";
const password = "password";
return authenticator.authenticate(username, password);
}
describe("success", function () {
beforeEach(function () {
retrieveEmailsAndGroups(ldapClient);
ldapClient.bind.withArgs(adminUserDN, adminPassword).yields();
ldapClient.unbind.yields();
});
it("should bind the user if good credentials provided", function () {
ldapClient.bind.withArgs("cn=username,ou=users,dc=example,dc=com", "password").yields();
return test_check_password_internal();
});
it("should bind the user with correct DN", function () {
ldapConfig.user_name_attribute = "uid";
ldapClient.bind.withArgs("uid=username,ou=users,dc=example,dc=com", "password").yields();
return test_check_password_internal();
});
});
describe("failure", function () {
it("should not bind the user if wrong credentials provided", function () {
ldapClient.bind.yields("wrong credentials");
return test_check_password_internal()
.catch(function () {
return BluebirdPromise.resolve();
});
});
it("should not bind the user if search of emails or group fails", function () {
ldapClient.bind.withArgs("cn=username,ou=users,dc=example,dc=com", "password").yields();
ldapClient.bind.withArgs(adminUserDN, adminPassword).yields();
ldapClient.unbind.yields();
ldapClient.search.yields("wrong credentials");
return test_check_password_internal()
.catch(function () {
return BluebirdPromise.resolve();
});
});
});
});

94
test/unit/server/ldap/EmailsRetriever.test.ts 100644
View File

@ -0,0 +1,94 @@
import { EmailsRetriever } from "../../../../src/server/lib/ldap/EmailsRetriever";
import { LdapConfiguration } from "../../../../src/types/Configuration";
import sinon = require("sinon");
import BluebirdPromise = require("bluebird");
import assert = require("assert");
import ldapjs = require("ldapjs");
import winston = require("winston");
import { EventEmitter } from "events";
import { LdapjsMock, LdapjsClientMock } from "../mocks/ldapjs";
describe("test emails retriever", function () {
let emailsRetriever: EmailsRetriever;
let ldapClient: LdapjsClientMock;
let ldapjs: LdapjsMock;
let ldapConfig: LdapConfiguration;
let adminUserDN: string;
let adminPassword: string;
beforeEach(function () {
ldapClient = LdapjsClientMock();
ldapjs = LdapjsMock();
ldapjs.createClient.returns(ldapClient);
// winston.level = "debug";
adminUserDN = "cn=admin,dc=example,dc=com";
adminPassword = "password";
ldapConfig = {
url: "http://localhost:324",
user: adminUserDN,
password: adminPassword,
base_dn: "dc=example,dc=com",
additional_user_dn: "ou=users"
};
emailsRetriever = new EmailsRetriever(ldapConfig, ldapjs, winston);
});
function retrieveEmails(ldapClient: LdapjsClientMock) {
const email0 = {
object: {
mail: "user@example.com"
}
};
const email1 = {
object: {
mail: "user@example1.com"
}
};
const emailsEmitter = {
on: sinon.spy(function (event: string, fn: (doc: any) => void) {
if (event != "error") fn(email0);
if (event != "error") fn(email1);
})
};
ldapClient.search.onCall(0).yields(undefined, emailsEmitter);
}
function test_emails_retrieval() {
const username = "username";
return emailsRetriever.retrieve(username);
}
describe("success", function () {
beforeEach(function () {
ldapClient.bind.withArgs(adminUserDN, adminPassword).yields();
ldapClient.unbind.yields();
});
it("should update the password successfully", function () {
retrieveEmails(ldapClient);
return test_emails_retrieval();
});
});
describe("failure", function () {
it("should fail retrieving emails when search operation fails", function () {
ldapClient.bind.withArgs(adminUserDN, adminPassword).yields();
ldapClient.search.yields("wrong credentials");
return test_emails_retrieval()
.catch(function () {
return BluebirdPromise.resolve();
});
});
});
});

83
test/unit/server/ldap/PasswordUpdater.test.ts 100644
View File

@ -0,0 +1,83 @@
import { PasswordUpdater } from "../../../../src/server/lib/ldap/PasswordUpdater";
import { LdapConfiguration } from "../../../../src/types/Configuration";
import sinon = require("sinon");
import BluebirdPromise = require("bluebird");
import assert = require("assert");
import ldapjs = require("ldapjs");
import winston = require("winston");
import { EventEmitter } from "events";
import { LdapjsMock, LdapjsClientMock } from "../mocks/ldapjs";
describe("test password update", function () {
let passwordUpdater: PasswordUpdater;
let ldapClient: LdapjsClientMock;
let ldapjs: LdapjsMock;
let ldapConfig: LdapConfiguration;
let adminUserDN: string;
let adminPassword: string;
let dovehash: any;
beforeEach(function () {
ldapClient = LdapjsClientMock();
ldapjs = LdapjsMock();
ldapjs.createClient.returns(ldapClient);
// winston.level = "debug";
adminUserDN = "cn=admin,dc=example,dc=com";
adminPassword = "password";
ldapConfig = {
url: "http://localhost:324",
user: adminUserDN,
password: adminPassword,
base_dn: "dc=example,dc=com",
additional_user_dn: "ou=users"
};
dovehash = {
encode: sinon.stub()
};
passwordUpdater = new PasswordUpdater(ldapConfig, ldapjs, dovehash, winston);
});
function test_update_password() {
const username = "username";
const newpassword = "newpassword";
return passwordUpdater.updatePassword(username, newpassword);
}
describe("success", function () {
beforeEach(function () {
ldapClient.bind.withArgs(adminUserDN, adminPassword).yields();
ldapClient.unbind.yields();
});
it("should update the password successfully", function () {
dovehash.encode.returns("{SSHA}AQmxaKfobGY9HSQa6aDYkAWOgPGNhGYn");
ldapClient.modify.withArgs("cn=username,ou=users,dc=example,dc=com", {
operation: "replace",
modification: {
userPassword: "{SSHA}AQmxaKfobGY9HSQa6aDYkAWOgPGNhGYn"
}
}).yields();
return test_update_password();
});
});
describe("failure", function () {
it("should fail updating password when modify operation fails", function () {
ldapClient.bind.withArgs(adminUserDN, adminPassword).yields();
ldapClient.modify.yields("wrong credentials");
return test_update_password()
.catch(function () {
return BluebirdPromise.resolve();
});
});
});
});

20
test/unit/server/mocks/LdapClient.ts
View File

@ -1,20 +0,0 @@
import sinon = require("sinon");
export interface LdapClientMock {
checkPassword: sinon.SinonStub;
retrieveEmails: sinon.SinonStub;
retrieveGroups: sinon.SinonStub;
search: sinon.SinonStub;
updatePassword: sinon.SinonStub;
}
export function LdapClientMock(): LdapClientMock {
return {
checkPassword: sinon.stub(),
retrieveEmails: sinon.stub(),
retrieveGroups: sinon.stub(),
search: sinon.stub(),
updatePassword: sinon.stub()
};
}

26
test/unit/server/mocks/ServerVariablesMock.ts
View File

@ -16,18 +16,20 @@ export interface ServerVariablesMock {
}
export function mock(app: express.Application): ServerVariablesMock {
const mocks: ServerVariablesMock = {
accessController: sinon.stub(),
config: sinon.stub(),
ldap: sinon.stub(),
logger: sinon.stub(),
notifier: sinon.stub(),
regulator: sinon.stub(),
totpGenerator: sinon.stub(),
totpValidator: sinon.stub(),
u2f: sinon.stub(),
userDataStore: sinon.stub()
export function mock(app: express.Application): ServerVariables {
const mocks: ServerVariables = {
accessController: sinon.stub() as any,
config: sinon.stub() as any,
ldapAuthenticator: sinon.stub() as any,
ldapEmailsRetriever: sinon.stub() as any,
ldapPasswordUpdater: sinon.stub() as any,
logger: sinon.stub() as any,
notifier: sinon.stub() as any,
regulator: sinon.stub() as any,
totpGenerator: sinon.stub() as any,
totpValidator: sinon.stub() as any,
u2f: sinon.stub() as any,
userDataStore: sinon.stub() as any,
};
app.get = sinon.stub().withArgs(VARIABLES_KEY).returns(mocks);
return mocks;

63
test/unit/server/routes/firstfactor/post.test.ts
View File

@ -11,9 +11,9 @@ import Endpoints = require("../../../../../src/server/endpoints");
import AuthenticationRegulatorMock = require("../../mocks/AuthenticationRegulator");
import AccessControllerMock = require("../../mocks/AccessController");
import { LdapClientMock } from "../../mocks/LdapClient";
import ExpressMock = require("../../mocks/express");
import ServerVariablesMock = require("../../mocks/ServerVariablesMock");
import { ServerVariables } from "../../../../../src/server/lib/ServerVariables";
describe("test the first factor validation route", function () {
let req: ExpressMock.RequestMock;
@ -21,9 +21,9 @@ describe("test the first factor validation route", function () {
let emails: string[];
let groups: string[];
let configuration;
let ldapMock: LdapClientMock;
let regulator: AuthenticationRegulatorMock.AuthenticationRegulatorMock;
let accessController: AccessControllerMock.AccessControllerMock;
let serverVariables: ServerVariables;
beforeEach(function () {
configuration = {
@ -36,8 +36,6 @@ describe("test the first factor validation route", function () {
emails = ["test_ok@example.com"];
groups = ["group1", "group2" ];
ldapMock = LdapClientMock();
accessController = AccessControllerMock.AccessControllerMock();
accessController.isDomainAllowedForUser.returns(true);
@ -61,19 +59,24 @@ describe("test the first factor validation route", function () {
AuthenticationSession.reset(req as any);
const mocks = ServerVariablesMock.mock(req.app);
mocks.ldap = ldapMock;
mocks.config = configuration;
mocks.logger = winston;
mocks.regulator = regulator;
mocks.accessController = accessController;
serverVariables = ServerVariablesMock.mock(req.app);
serverVariables.ldapAuthenticator = {
authenticate: sinon.stub()
} as any;
serverVariables.config = configuration as any;
serverVariables.logger = winston as any;
serverVariables.regulator = regulator as any;
serverVariables.accessController = accessController as any;
res = ExpressMock.ResponseMock();
});
it("should redirect client to second factor page", function () {
ldapMock.checkPassword.withArgs("username").returns(BluebirdPromise.resolve());
ldapMock.retrieveEmails.returns(BluebirdPromise.resolve(emails));
(serverVariables.ldapAuthenticator as any).authenticate.withArgs("username", "password")
.returns(BluebirdPromise.resolve({
emails: emails,
groups: groups
}));
const authSession = AuthenticationSession.get(req as any);
return FirstFactorPost.default(req as any, res as any)
.then(function () {
@ -83,24 +86,28 @@ describe("test the first factor validation route", function () {
});
it("should retrieve email from LDAP", function () {
ldapMock.checkPassword.returns(BluebirdPromise.resolve());
ldapMock.retrieveEmails = sinon.stub().withArgs("username").returns(BluebirdPromise.resolve([{ mail: ["test@example.com"] }]));
(serverVariables.ldapAuthenticator as any).authenticate.withArgs("username", "password")
.returns(BluebirdPromise.resolve([{ mail: ["test@example.com"] }]));
return FirstFactorPost.default(req as any, res as any);
});
it("should set first email address as user session variable", function () {
const emails = ["test_ok@example.com"];
const authSession = AuthenticationSession.get(req as any);
ldapMock.checkPassword.returns(BluebirdPromise.resolve());
ldapMock.retrieveEmails.returns(BluebirdPromise.resolve(emails));
(serverVariables.ldapAuthenticator as any).authenticate.withArgs("username", "password")
.returns(BluebirdPromise.resolve({
emails: emails,
groups: groups
}));
return FirstFactorPost.default(req as any, res as any)
.then(function () {
assert.equal("test_ok@example.com", authSession.email);
});
});
it("should return status code 401 when LDAP binding throws", function () {
ldapMock.checkPassword.returns(BluebirdPromise.reject(new exceptions.LdapBindError("Bad credentials")));
it("should return status code 401 when LDAP authenticator throws", function () {
(serverVariables.ldapAuthenticator as any).authenticate.withArgs("username", "password")
.returns(BluebirdPromise.reject(new exceptions.LdapBindError("Bad credentials")));
return FirstFactorPost.default(req as any, res as any)
.then(function () {
assert.equal(401, res.status.getCall(0).args[0]);
@ -108,15 +115,6 @@ describe("test the first factor validation route", function () {
});
});
it("should return status code 500 when LDAP search throws", function () {
ldapMock.checkPassword.returns(BluebirdPromise.resolve());
ldapMock.retrieveEmails.returns(BluebirdPromise.reject(new exceptions.LdapSearchError("error while retrieving emails")));
return FirstFactorPost.default(req as any, res as any)
.then(function () {
assert.equal(500, res.status.getCall(0).args[0]);
});
});
it("should return status code 403 when regulator rejects authentication", function () {
const err = new exceptions.AuthenticationRegulationError("Authentication regulation...");
regulator.regulate.returns(BluebirdPromise.reject(err));
@ -126,17 +124,6 @@ describe("test the first factor validation route", function () {
assert.equal(1, res.send.callCount);
});
});
it("should fail when admin user does not have rights to retrieve attribute mail", function () {
ldapMock.checkPassword.returns(BluebirdPromise.resolve());
ldapMock.retrieveEmails = sinon.stub().withArgs("username").returns(BluebirdPromise.resolve([]));
ldapMock.retrieveGroups = sinon.stub().withArgs("username").returns(BluebirdPromise.resolve(["group1"]));
return FirstFactorPost.default(req as any, res as any)
.then(function () {
assert.equal(500, res.status.getCall(0).args[0]);
assert.equal(1, res.send.callCount);
});
});
});

40
test/unit/server/routes/password-reset/identity/PasswordResetHandler.test.ts
View File

@ -1,22 +1,22 @@
import PasswordResetHandler from "../../../../../../src/server/lib/routes/password-reset/identity/PasswordResetHandler";
import LdapClient = require("../../../../../../src/server/lib/LdapClient");
import PasswordUpdater = require("../../../../../../src/server/lib/ldap/PasswordUpdater");
import { ServerVariables } from "../../../../../../src/server/lib/ServerVariables";
import sinon = require("sinon");
import winston = require("winston");
import assert = require("assert");
import BluebirdPromise = require("bluebird");
import ExpressMock = require("../../../mocks/express");
import { LdapClientMock } from "../../../mocks/LdapClient";
import { UserDataStore } from "../../../mocks/UserDataStore";
import ServerVariablesMock = require("../../../mocks/ServerVariablesMock");
describe("test reset password identity check", function () {
let req: ExpressMock.RequestMock;
let res: ExpressMock.ResponseMock;
let user_data_store: UserDataStore;
let ldap_client: LdapClientMock;
let userDataStore: UserDataStore;
let configuration: any;
let serverVariables: ServerVariables;
beforeEach(function () {
req = {
@ -43,15 +43,15 @@ describe("test reset password identity check", function () {
inMemoryOnly: true
};
const mocks = ServerVariablesMock.mock(req.app);
serverVariables = ServerVariablesMock.mock(req.app);
user_data_store = UserDataStore();
user_data_store.set_u2f_meta.returns(BluebirdPromise.resolve({}));
user_data_store.get_u2f_meta.returns(BluebirdPromise.resolve({}));
user_data_store.issue_identity_check_token.returns(BluebirdPromise.resolve({}));
user_data_store.consume_identity_check_token.returns(BluebirdPromise.resolve({}));
mocks.userDataStore = user_data_store;
userDataStore = UserDataStore();
userDataStore.set_u2f_meta.returns(BluebirdPromise.resolve({}));
userDataStore.get_u2f_meta.returns(BluebirdPromise.resolve({}));
userDataStore.issue_identity_check_token.returns(BluebirdPromise.resolve({}));
userDataStore.consume_identity_check_token.returns(BluebirdPromise.resolve({}));
serverVariables.userDataStore = userDataStore as any;
configuration = {
@ -61,11 +61,11 @@ describe("test reset password identity check", function () {
}
};
mocks.logger = winston;
mocks.config = configuration;
ldap_client = LdapClientMock();
mocks.ldap = ldap_client;
serverVariables.logger = winston;
serverVariables.config = configuration;
serverVariables.ldapEmailsRetriever = {
retrieve: sinon.stub()
} as any;
res = ExpressMock.ResponseMock();
});
@ -82,7 +82,7 @@ describe("test reset password identity check", function () {
});
it("should fail if ldap fail", function (done) {
ldap_client.retrieveEmails.returns(BluebirdPromise.reject("Internal error"));
(serverVariables.ldapEmailsRetriever as any).retrieve.returns(BluebirdPromise.reject("Internal error"));
new PasswordResetHandler().preValidationInit(req as any)
.catch(function (err: Error) {
done();
@ -91,16 +91,16 @@ describe("test reset password identity check", function () {
it("should perform a search in ldap to find email address", function (done) {
configuration.ldap.user_name_attribute = "uid";
ldap_client.retrieveEmails.returns(BluebirdPromise.resolve([]));
(serverVariables.ldapEmailsRetriever as any).retrieve.returns(BluebirdPromise.resolve([]));
new PasswordResetHandler().preValidationInit(req as any)
.then(function () {
assert.equal("user", ldap_client.retrieveEmails.getCall(0).args[0]);
assert.equal("user", (serverVariables.ldapEmailsRetriever as any).retrieve.getCall(0).args[0]);
done();
});
});
it("should returns identity when ldap replies", function (done) {
ldap_client.retrieveEmails.returns(BluebirdPromise.resolve(["test@example.com"]));
(serverVariables.ldapEmailsRetriever as any).retrieve.returns(BluebirdPromise.resolve(["test@example.com"]));
new PasswordResetHandler().preValidationInit(req as any)
.then(function () {
done();

37
test/unit/server/routes/password-reset/post.test.ts
View File

@ -1,24 +1,24 @@
import PasswordResetFormPost = require("../../../../../src/server/lib/routes/password-reset/form/post");
import LdapClient = require("../../../../../src/server/lib/LdapClient");
import { PasswordUpdater } from "../../../../../src/server/lib/ldap/PasswordUpdater";
import AuthenticationSession = require("../../../../../src/server/lib/AuthenticationSession");
import { ServerVariables } from "../../../../../src/server/lib/ServerVariables";
import sinon = require("sinon");
import winston = require("winston");
import assert = require("assert");
import BluebirdPromise = require("bluebird");
import ExpressMock = require("../../mocks/express");
import { LdapClientMock } from "../../mocks/LdapClient";
import { UserDataStore } from "../../mocks/UserDataStore";
import ServerVariablesMock = require("../../mocks/ServerVariablesMock");
describe("test reset password route", function () {
let req: ExpressMock.RequestMock;
let res: ExpressMock.ResponseMock;
let user_data_store: UserDataStore;
let ldapClient: LdapClientMock;
let userDataStore: UserDataStore;
let configuration: any;
let authSession: AuthenticationSession.AuthenticationSession;
let serverVariables: ServerVariables;
beforeEach(function () {
req = {
@ -45,13 +45,13 @@ describe("test reset password route", function () {
inMemoryOnly: true
};
const mocks = ServerVariablesMock.mock(req.app);
user_data_store = UserDataStore();
user_data_store.set_u2f_meta.returns(BluebirdPromise.resolve({}));
user_data_store.get_u2f_meta.returns(BluebirdPromise.resolve({}));
user_data_store.issue_identity_check_token.returns(BluebirdPromise.resolve({}));
user_data_store.consume_identity_check_token.returns(BluebirdPromise.resolve({}));
mocks.userDataStore = user_data_store;
serverVariables = ServerVariablesMock.mock(req.app);
userDataStore = UserDataStore();
userDataStore.set_u2f_meta.returns(BluebirdPromise.resolve({}));
userDataStore.get_u2f_meta.returns(BluebirdPromise.resolve({}));
userDataStore.issue_identity_check_token.returns(BluebirdPromise.resolve({}));
userDataStore.consume_identity_check_token.returns(BluebirdPromise.resolve({}));
serverVariables.userDataStore = userDataStore as any;
configuration = {
@ -61,11 +61,12 @@ describe("test reset password route", function () {
}
};
mocks.logger = winston;
mocks.config = configuration;
serverVariables.logger = winston;
serverVariables.config = configuration;
ldapClient = LdapClientMock();
mocks.ldap = ldapClient;
serverVariables.ldapPasswordUpdater = {
updatePassword: sinon.stub()
} as any;
res = ExpressMock.ResponseMock();
});
@ -79,8 +80,7 @@ describe("test reset password route", function () {
req.body = {};
req.body.password = "new-password";
ldapClient.updatePassword.returns(BluebirdPromise.resolve());
ldapClient.checkPassword.returns(BluebirdPromise.resolve());
(serverVariables.ldapPasswordUpdater.updatePassword as sinon.SinonStub).returns(BluebirdPromise.resolve());
return PasswordResetFormPost.default(req as any, res as any)
.then(function () {
const authSession = AuthenticationSession.get(req as any);
@ -111,8 +111,7 @@ describe("test reset password route", function () {
req.body = {};
req.body.password = "new-password";
ldapClient.checkPassword.yields(undefined);
ldapClient.updatePassword.returns(BluebirdPromise.reject("Internal error with LDAP"));
(serverVariables.ldapPasswordUpdater.updatePassword as sinon.SinonStub).returns(BluebirdPromise.reject("Internal error with LDAP"));
res.send = sinon.spy(function () {
assert.equal(res.status.getCall(0).args[0], 500);
done();

2
test/unit/server/routes/secondfactor/totp/register/RegistrationHandler.test.ts
View File

@ -43,7 +43,7 @@ describe("test totp register", function () {
userDataStore.issue_identity_check_token = sinon.stub().returns(BluebirdPromise.resolve({}));
userDataStore.consume_identity_check_token = sinon.stub().returns(BluebirdPromise.resolve({}));
userDataStore.set_totp_secret = sinon.stub().returns(BluebirdPromise.resolve({}));
mocks.userDataStore = userDataStore;
mocks.userDataStore = userDataStore as any;
res = ExpressMock.ResponseMock();
});

6
test/unit/server/routes/secondfactor/totp/sign/post.test.ts
View File

@ -53,9 +53,9 @@ describe("test totp route", function () {
userDataStore.get_totp_secret.returns(BluebirdPromise.resolve(doc));
mocks.logger = winston;
mocks.totpValidator = totpValidator;
mocks.config = config;
mocks.userDataStore = userDataStore;
mocks.totpValidator = totpValidator as any;
mocks.config = config as any;
mocks.userDataStore = userDataStore as any;
});

2
test/unit/server/routes/secondfactor/u2f/identity/RegistrationHandler.test.ts
View File

@ -41,7 +41,7 @@ describe("test register handler", function () {
userDataStore.get_u2f_meta = sinon.stub().returns(BluebirdPromise.resolve({}));
userDataStore.issue_identity_check_token = sinon.stub().returns(BluebirdPromise.resolve({}));
userDataStore.consume_identity_check_token = sinon.stub().returns(BluebirdPromise.resolve({}));
mocks.userDataStore = userDataStore;
mocks.userDataStore = userDataStore as any;
res = ExpressMock.ResponseMock();
res.send = sinon.spy();

5
test/unit/server/routes/secondfactor/u2f/register/post.test.ts
View File

@ -4,6 +4,7 @@ import BluebirdPromise = require("bluebird");
import assert = require("assert");
import U2FRegisterPost = require("../../../../../../../src/server/lib/routes/secondfactor/u2f/register/post");
import AuthenticationSession = require("../../../../../../../src/server/lib/AuthenticationSession");
import { ServerVariables } from "../../../../../../../src/server/lib/ServerVariables";
import winston = require("winston");
import ExpressMock = require("../../../../mocks/express");
@ -16,7 +17,7 @@ describe("test u2f routes: register", function () {
let req: ExpressMock.RequestMock;
let res: ExpressMock.ResponseMock;
let userDataStore: UserDataStoreMock.UserDataStore;
let mocks: ServerVariablesMock.ServerVariablesMock;
let mocks: ServerVariables;
let authSession: AuthenticationSession.AuthenticationSession;
beforeEach(function () {
@ -46,7 +47,7 @@ describe("test u2f routes: register", function () {
userDataStore = UserDataStoreMock.UserDataStore();
userDataStore.set_u2f_meta = sinon.stub().returns(BluebirdPromise.resolve({}));
userDataStore.get_u2f_meta = sinon.stub().returns(BluebirdPromise.resolve({}));
mocks.userDataStore = userDataStore;
mocks.userDataStore = userDataStore as any;
res = ExpressMock.ResponseMock();
res.send = sinon.spy();

5
test/unit/server/routes/secondfactor/u2f/register_request/get.test.ts
View File

@ -4,6 +4,7 @@ import BluebirdPromise = require("bluebird");
import assert = require("assert");
import U2FRegisterRequestGet = require("../../../../../../../src/server/lib/routes/secondfactor/u2f/register_request/get");
import AuthenticationSession = require("../../../../../../../src/server/lib/AuthenticationSession");
import { ServerVariables } from "../../../../../../../src/server/lib/ServerVariables";
import winston = require("winston");
import ExpressMock = require("../../../../mocks/express");
@ -16,7 +17,7 @@ describe("test u2f routes: register_request", function () {
let req: ExpressMock.RequestMock;
let res: ExpressMock.ResponseMock;
let userDataStore: UserDataStoreMock.UserDataStore;
let mocks: ServerVariablesMock.ServerVariablesMock;
let mocks: ServerVariables;
let authSession: AuthenticationSession.AuthenticationSession;
beforeEach(function () {
@ -46,7 +47,7 @@ describe("test u2f routes: register_request", function () {
userDataStore = UserDataStoreMock.UserDataStore();
userDataStore.set_u2f_meta = sinon.stub().returns(BluebirdPromise.resolve({}));
userDataStore.get_u2f_meta = sinon.stub().returns(BluebirdPromise.resolve({}));
mocks.userDataStore = userDataStore;
mocks.userDataStore = userDataStore as any;
res = ExpressMock.ResponseMock();
res.send = sinon.spy();

5
test/unit/server/routes/secondfactor/u2f/sign/post.test.ts
View File

@ -4,6 +4,7 @@ import BluebirdPromise = require("bluebird");
import assert = require("assert");
import U2FSignPost = require("../../../../../../../src/server/lib/routes/secondfactor/u2f/sign/post");
import AuthenticationSession = require("../../../../../../../src/server/lib/AuthenticationSession");
import { ServerVariables } from "../../../../../../../src/server/lib/ServerVariables";
import winston = require("winston");
import ExpressMock = require("../../../../mocks/express");
@ -16,7 +17,7 @@ describe("test u2f routes: sign", function () {
let req: ExpressMock.RequestMock;
let res: ExpressMock.ResponseMock;
let userDataStore: UserDataStoreMock.UserDataStore;
let mocks: ServerVariablesMock.ServerVariablesMock;
let mocks: ServerVariables;
let authSession: AuthenticationSession.AuthenticationSession;
beforeEach(function () {
@ -46,7 +47,7 @@ describe("test u2f routes: sign", function () {
userDataStore = UserDataStoreMock.UserDataStore();
userDataStore.set_u2f_meta = sinon.stub().returns(BluebirdPromise.resolve({}));
userDataStore.get_u2f_meta = sinon.stub().returns(BluebirdPromise.resolve({}));
mocks.userDataStore = userDataStore;
mocks.userDataStore = userDataStore as any;
res = ExpressMock.ResponseMock();
res.send = sinon.spy();

5
test/unit/server/routes/secondfactor/u2f/sign_request/get.test.ts
View File

@ -4,6 +4,7 @@ import BluebirdPromise = require("bluebird");
import assert = require("assert");
import U2FSignRequestGet = require("../../../../../../../src/server/lib/routes/secondfactor/u2f/sign_request/get");
import AuthenticationSession = require("../../../../../../../src/server/lib/AuthenticationSession");
import { ServerVariables } from "../../../../../../../src/server/lib/ServerVariables";
import winston = require("winston");
import ExpressMock = require("../../../../mocks/express");
@ -18,7 +19,7 @@ describe("test u2f routes: sign_request", function () {
let req: ExpressMock.RequestMock;
let res: ExpressMock.ResponseMock;
let userDataStore: UserDataStoreMock.UserDataStore;
let mocks: ServerVariablesMock.ServerVariablesMock;
let mocks: ServerVariables;
let authSession: AuthenticationSession.AuthenticationSession;
beforeEach(function () {
@ -50,7 +51,7 @@ describe("test u2f routes: sign_request", function () {
userDataStore = UserDataStoreMock.UserDataStore();
userDataStore.set_u2f_meta = sinon.stub().returns(BluebirdPromise.resolve({}));
userDataStore.get_u2f_meta = sinon.stub().returns(BluebirdPromise.resolve({}));
mocks.userDataStore = userDataStore;
mocks.userDataStore = userDataStore as any;
res = ExpressMock.ResponseMock();
res.send = sinon.spy();

4
test/unit/server/routes/verify/get.test.ts
View File

@ -27,9 +27,9 @@ describe("test authentication token verification", function () {
req.headers = {};
req.headers.host = "secret.example.com";
const mocks = ServerVariablesMock.mock(req.app);
mocks.config = {};
mocks.config = {} as any;
mocks.logger = winston;
mocks.accessController = accessController;
mocks.accessController = accessController as any;
});
it("should be already authenticated", function (done) {

5
test/unit/server/server/PrivatePages.ts
View File

@ -1,7 +1,5 @@
import Server from "../../../../src/server/lib/Server";
import LdapClient = require("../../../../src/server/lib/LdapClient");
import BluebirdPromise = require("bluebird");
import speakeasy = require("speakeasy");
import request = require("request");
@ -108,7 +106,8 @@ describe("Private pages of the server must not be accessible without session", f
session: ExpressSession,
winston: Winston,
speakeasy: speakeasy,
ConnectRedis: Sinon.spy()
ConnectRedis: Sinon.spy(),
dovehash: Sinon.spy() as any
};
server = new Server();

5
test/unit/server/server/PublicPages.ts
View File

@ -1,7 +1,5 @@
import Server from "../../../../src/server/lib/Server";
import LdapClient = require("../../../../src/server/lib/LdapClient");
import BluebirdPromise = require("bluebird");
import speakeasy = require("speakeasy");
import Request = require("request");
@ -108,7 +106,8 @@ describe("Public pages of the server must be accessible without session", functi
session: ExpressSession,
winston: Winston,
speakeasy: speakeasy,
ConnectRedis: Sinon.spy()
ConnectRedis: Sinon.spy(),
dovehash: Sinon.spy() as any
};
server = new Server();

8
test/unit/server/server/Server.test.ts
View File

@ -1,7 +1,6 @@
import Server from "../../../../src/server/lib/Server";
import LdapClient = require("../../../../src/server/lib/LdapClient");
import { LdapjsClientMock } from "./../mocks/ldapjs";
import BluebirdPromise = require("bluebird");
@ -92,7 +91,7 @@ describe("test the server", function () {
"password").yields();
ldapClient.bind.withArgs("cn=test_nok,ou=users,dc=example,dc=com",
"password").yields("error");
"password").yields("Bad credentials");
ldapClient.unbind.yields();
ldapClient.modify.yields();
@ -106,7 +105,10 @@ describe("test the server", function () {
session: ExpressSession,
winston: Winston,
speakeasy: speakeasy,
ConnectRedis: Sinon.spy()
ConnectRedis: Sinon.spy(),
dovehash: {
encode: Sinon.stub().returns("abc")
}
};
server = new Server();